revised playbook:
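---
# STIG-style check with automatic remediation.
#
# Every file under target_file matching file_patterns must be owned by
# required_owner:required_group with mode required_mode. The verdict is
# printed and recorded as one line in output_path:
#   "<stig_id> PASSED"  or  "<stig_id> FAILED. <finding text>"
# An earlier line for the same stig_id is replaced in place (lineinfile
# regexp + line), which replaces the separate "delete the old line" step:
# local_action is not a valid play-level keyword, so that step was either
# an error or an unused var depending on how it was indented.
- name: Verify that log files are owned by, and readable only by, privileged users
  hosts: localhost
  vars:
    stig_id: Test-12345
    # Default verdict. It is only replaced by PASSED once the files have been
    # verified compliant, on the first check or after remediation.
    stig_text: 'FAILED. The Apache web server log files must only be accessible by privileged users.'
    target_file: /tmp/
    file_patterns: "*.txt"
    required_owner: root
    required_group: adm
    # Quoted on purpose: an unquoted 0640 is read by YAML as the integer 416,
    # which the file module then applies as a different mode. find reports
    # mode as a string, so the comparison below needs a string too.
    required_mode: "0640"
    # NOTE(review): /tmp is world-writable, so any local user can pre-seed or
    # edit this report; keep compliance evidence in a root-owned directory.
    output_path: "/tmp/stig-{{ ansible_hostname }}.txt"

  tasks:
    - name: Check, remediate on failure, and always record the verdict
      block:
        # find needs read access to target_file; run with become if the real
        # log directory is not readable by the Ansible user.
        - name: Collect owner, group and mode of the log files
          find:
            paths: "{{ target_file }}"
            patterns: "{{ file_patterns }}"
          register: permissions

        # NOTE(review): an empty match (wrong path, no logs yet) passes, and
        # find does not fail on a missing path; test permissions.matched if
        # "nothing to check" should be reported rather than passed.
        - name: Fail unless every file is {{ required_owner }}:{{ required_group }} {{ required_mode }}
          assert:
            that:
              - permissions.files | selectattr('pw_name', '!=', required_owner) | list | length == 0
              - permissions.files | selectattr('gr_name', '!=', required_group) | list | length == 0
              - permissions.files | selectattr('mode', '!=', required_mode) | list | length == 0
            fail_msg: "{{ stig_id }} {{ stig_text }}"

        # Only the verdict word: the always-block already prefixes stig_id,
        # so storing it here would print "Test-12345 Test-12345 PASSED".
        - name: Record a clean first check
          set_fact:
            stig_text: "PASSED"

      rescue:
        # The file module is idempotent, so looping over every match is safe;
        # if any chown/chmod fails the remaining rescue tasks are skipped and
        # the FAILED verdict stands.
        - name: Set owner, group and mode on the log files
          become: true
          file:
            path: "{{ item.path }}"
            owner: "{{ required_owner }}"
            group: "{{ required_group }}"
            mode: "{{ required_mode }}"
          loop: "{{ permissions.files | default([]) }}"
          loop_control:
            label: "{{ item.path }}"

        # A remediation that reports "changed" is not proof of compliance:
        # re-run the same check before claiming a pass.
        - name: Re-collect owner, group and mode after remediation
          find:
            paths: "{{ target_file }}"
            patterns: "{{ file_patterns }}"
          register: post_remediation

        - name: Record a pass only when the re-check is clean
          set_fact:
            stig_text: "PASSED"
          when:
            - post_remediation.files | selectattr('pw_name', '!=', required_owner) | list | length == 0
            - post_remediation.files | selectattr('gr_name', '!=', required_group) | list | length == 0
            - post_remediation.files | selectattr('mode', '!=', required_mode) | list | length == 0

      always:
        - name: Print the verdict
          debug:
            msg: "{{ stig_id }} {{ stig_text }}"

        # delegate_to keeps the report on the controller if hosts is widened.
        - name: Record the verdict, replacing any earlier line for this STIG ID
          delegate_to: localhost
          lineinfile:
            path: "{{ output_path }}"
            create: true
            # Anchored and escaped so Test-12345 cannot match Test-123456.
            regexp: "^{{ stig_id | regex_escape }}\\s"
            line: "{{ stig_id }} {{ stig_text }}"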
On Friday, June 3, 2022 at 8:34:23 AM UTC-4 Thuan wrote:
> Hello,
>
> My current playbook worked and I just want to know if there is room for
> improvement.
>
>
> ---
>
> - name: verify that the logs ownership/perms are belong to system
> administrators and service accounts.
> hosts: localhost
> vars:
> stig_id: Test-12345
> stig_text: 'FAILED. The Apache web server log files must only be
> accessible by privileged users.'
> target_file: /tmp/
>
> output_path: "/tmp/stig-{{ansible_hostname}}.txt"
> local_action: lineinfile regexp='^Test-12345' path="{{ output_path
> }}" state=absent
>
> tasks:
> - name:
> block:
> - name: verify the logs ownership
> find:
> paths: "{{ target_file }}"
> patterns: "*.txt"
> register: ownership
> failed_when: >
> (ownership.files | selectattr('pw_name', '!=', 'root') |
> list) or
> (ownership.files | selectattr('gr_name', '!=', 'adm') |
> list) or
> (ownership.files | selectattr('mode', '!=', '0750') | list)
>
> - set_fact:
> stig_text: "{{ stig_id }} PASSED"
>
> rescue:
> - name: change the permission and ownership of the files
> become: true
> file:
> path: "{{ item.path }}"
> owner: root
> group: adm
> mode: 0750
> with_items: "{{ ownership.files }}"
> register: change_perms
>
> - set_fact:
> stig_text: "PASSED"
> when: change_perms.changed == true
>
> - debug:
> msg: "{{ stig_id }} {{ stig_text }}"
>
> always:
> - local_action: lineinfile line="{{ stig_id }} {{ stig_text
> }}" path="{{ output_path }}" create=yes
>